TomS Vaptcha Security & Risk Analysis

wordpress.org/plugins/toms-vaptcha

Gesture captcha —— Easy for human, hard for robots. Protect the login, register, lostpassword and comment forms, support woocommerce, ultimate member, …

0 active installs · v1.1.2 · PHP 7.0+ · WP 5.8+ · Updated Mar 4, 2022
Tags: block-spam-comments, captcha, toms-captcha, toms-vaptcha, vaptcha
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is TomS Vaptcha Safe to Use in 2026?

Generally Safe

Score 85/100

TomS Vaptcha has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The toms-vaptcha plugin, version 1.1.2, exhibits a generally strong security posture, characterized by a lack of known historical vulnerabilities and a high degree of proper output escaping. The static analysis reveals a very small attack surface, with no unprotected entry points identified. Furthermore, the absence of critical or high severity taint flows is a positive indicator of secure coding practices concerning data handling and sanitization. The plugin also demonstrates good security awareness by implementing nonce and capability checks for its single identified entry point.

However, a couple of areas warrant attention. The single SQL query does not use prepared statements, which could pose a risk if sensitive data were involved and the query were constructed from user-supplied input, although the taint analysis did not reveal any unsanitized paths into this query. The plugin also performs one file operation and one external HTTP request. Neither is inherently insecure, but both can introduce vulnerabilities if not handled with care, especially around input validation and the origin of the external request.

In conclusion, toms-vaptcha v1.1.2 appears to be a relatively secure plugin with a clean vulnerability history and a well-controlled attack surface. The primary area for improvement lies in adopting prepared statements for its SQL queries to further mitigate potential risks. The limited scope of file operations and external requests, combined with the absence of significant taint flow issues, suggests a low overall risk profile.

Key Concerns

  • Raw SQL query without prepared statements
Vulnerabilities
None known

TomS Vaptcha Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

TomS Vaptcha Release Timeline

v1.1.1
v1.1.0
v1.0.0
Code Analysis
Analyzed Mar 17, 2026

TomS Vaptcha Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 7 (499 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 1
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

99% escaped · 506 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
TomSVaptchaHandleForm (inc\toms-vaptcha.php:59)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

TomS Vaptcha Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[toms_woo_register_form] inc\toms-vaptcha-woo-register.php:16
WordPress Hooks: 41

action TomSVaptchaExtraForms inc\toms-vaptcha-ultimate-member.php:8
action TomSVaptchaExtraFormsData inc\toms-vaptcha-ultimate-member.php:9
action um_after_form_fields inc\toms-vaptcha-ultimate-member.php:13
action um_submit_form_errors_hook_login inc\toms-vaptcha-ultimate-member.php:14
action um_after_form_fields inc\toms-vaptcha-ultimate-member.php:17
action um_submit_form_errors_hook__registration inc\toms-vaptcha-ultimate-member.php:18
action um_after_password_reset_fields inc\toms-vaptcha-ultimate-member.php:21
action um_reset_password_errors_hook inc\toms-vaptcha-ultimate-member.php:22
action TomSVaptchaExtraForms inc\toms-vaptcha-user-registration.php:8
action TomSVaptchaExtraFormsData inc\toms-vaptcha-user-registration.php:9
action user_registration_login_form inc\toms-vaptcha-user-registration.php:13
filter user_registration_process_login_errors inc\toms-vaptcha-user-registration.php:14
action user_registration_after_form_fields inc\toms-vaptcha-user-registration.php:17
action user_registration_after_submit_buttons inc\toms-vaptcha-user-registration.php:18
action user_registration_lostpassword_form inc\toms-vaptcha-user-registration.php:21
action TomSVaptchaExtraForms inc\toms-vaptcha-woocommerce.php:8
action TomSVaptchaExtraFormsData inc\toms-vaptcha-woocommerce.php:9
action woocommerce_login_form inc\toms-vaptcha-woocommerce.php:13
filter woocommerce_process_login_errors inc\toms-vaptcha-woocommerce.php:14
action woocommerce_register_form inc\toms-vaptcha-woocommerce.php:17
filter woocommerce_process_registration_errors inc\toms-vaptcha-woocommerce.php:18
action woocommerce_lostpassword_form inc\toms-vaptcha-woocommerce.php:21
filter allow_password_reset inc\toms-vaptcha-woocommerce.php:22
action woocommerce_review_order_before_payment inc\toms-vaptcha-woocommerce.php:25
action woocommerce_after_checkout_validation inc\toms-vaptcha-woocommerce.php:26
action init inc\toms-vaptcha.php:11
action admin_menu inc\toms-vaptcha.php:12
action login_form inc\toms-vaptcha.php:16
filter wp_authenticate_user inc\toms-vaptcha.php:17
action register_form inc\toms-vaptcha.php:20
filter registration_errors inc\toms-vaptcha.php:21
action lostpassword_form inc\toms-vaptcha.php:24
filter allow_password_reset inc\toms-vaptcha.php:25
action comment_form inc\toms-vaptcha.php:28
filter preprocess_comment inc\toms-vaptcha.php:29
filter plugin_action_links inc\toms-vaptcha.php:34
action admin_enqueue_scripts inc\toms-vaptcha.php:39
action toms-wp_page_toms-vaptcha-settings inc\toms-vaptcha.php:40
action admin_menu toms-vaptcha-home.php:23
action admin_enqueue_scripts toms-vaptcha-home.php:34
action admin_footer_text toms-vaptcha-home.php:38
Maintenance & Trust

TomS Vaptcha Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Mar 4, 2022
PHP min version: 7.0
Downloads: 7K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

TomS Vaptcha Developer Profile

TomS Caprice

7 plugins · 1K total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect TomS Vaptcha

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/toms-vaptcha/assets/css/admin.css
/wp-content/plugins/toms-vaptcha/assets/css/tomswp.css

HTML / DOM Fingerprints

CSS Classes
toms-menu-item, toms-wp-header, toms-menu-title-text, toms-dashboard, toms-menu-text, toms-wp-dashboard, toms-header, toms-logo, +12 more
Data Attributes
data-toms-wp-dashboard, data-toms-header, data-toms-logo, data-toms-header-text, data-toms-current-activated, data-toms-items, +9 more
JS Globals
window.toms_object, window.toms_json
FAQ

Frequently Asked Questions about TomS Vaptcha